diff --git a/tests/mqtt-frames-truncated/README.md b/tests/mqtt-frames-truncated/README.md
new file mode 100644
index 000000000..6f1bc9da2
--- /dev/null
+++ b/tests/mqtt-frames-truncated/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data] for truncated messages where msg_len > max_msg_size.
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt-limit-1]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/suricata.yaml b/tests/mqtt-frames-truncated/suricata.yaml
new file mode 100644
index 000000000..7220b4216
--- /dev/null
+++ b/tests/mqtt-frames-truncated/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - mqtt
+        - alert
+        - frame
+
+app-layer:
+  protocols:
+    mqtt:
+      enabled: yes
+      max-msg-length: 50000
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/test.rules b/tests/mqtt-frames-truncated/test.rules
new file mode 100644
index 000000000..e3030769a
--- /dev/null
+++ b/tests/mqtt-frames-truncated/test.rules
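Review bot: `max-msg-length: 50000` is the setting that makes this test exercise truncation (the README describes msg_len > max_msg_size and test.yaml expects `mqtt.publish.truncated: true`), but nothing in the file says so, and a later reader cannot tell whether the value may be raised. I would put a comment above it, `# deliberately smaller than the PUBLISH in ../mqtt-limit-1/input.pcap so the message is reported as truncated`. The `frame` entry under `types` is likewise what the `frame.*` checks in test.yaml rely on; a one-line `# frame records are required by the checks in test.yaml` keeps the two files in step.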
@@ -0,0 +1,11 @@
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 1"; frame:pdu; content:"|32 a7 8d|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 2"; frame:pdu; content:"|58 58 58|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 3"; frame:header; content:"|32|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 4"; frame:header; content:"|30|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 7"; frame:trunc.data; content:"|00 03|"; startswith; sid:7;)
+alert mqtt any any -> any any (msg:"mqtt truncated Frame 8"; frame:trunc.data; content:"|58 58 58|"; sid:8;)
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/test.yaml b/tests/mqtt-frames-truncated/test.yaml
new file mode 100644
index 000000000..fa2a6bc5f
--- /dev/null
+++ b/tests/mqtt-frames-truncated/test.yaml
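Review bot: Rules 3 and 4 match a single unanchored byte against header frames (`content:"|32|"` and `content:"|30|"`), so they may also fire when that byte value occurs in the remaining-length bytes rather than as the packet-type byte, and the expected counts of 3 and 1 in test.yaml would then depend on this particular pcap rather than on the frame boundaries being tested; since rule 1 already uses `startswith`, I would anchor these the same way, e.g. `frame:header; content:"|32|"; startswith; sid:3;`. Rules 5 and 6 are negative controls (test.yaml expects `count: 0` for both) but nothing in the file says so; a comment such as `# negative controls: test.yaml expects count 0 for sids 5 and 6` would stop a later edit from "fixing" them. The hex content is lowercase in rule 1 (`|32 a7 8d|`) but uppercase in rule 5 (`|17 0C E2|`); pick one. The same three points apply to tests/mqtt-frames/test.rules further down in this commit.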
@@ -0,0 +1,60 @@
+pcap: ../mqtt-limit-1/input.pcap
+
+requires:
+  min-version: 7
+
+args:
+  - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 1
+      frame.type: "pdu"
+- filter:
+    count: 2
+    match:
+      alert.signature_id: 2
+      frame.type: "pdu"
+      frame.complete: true
+- filter:
+    count: 3
+    match:
+      alert.signature_id: 3
+      frame.type: "header"
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 4
+      frame.type: "header"
+      frame.length: 4
+      frame.complete: true
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 5
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 6
+- filter:
+    count: 2
+    match:
+      alert.signature_id: 7
+      frame.type: "trunc.data"
+- filter:
+    count: 2
+    match:
+      alert.signature_id: 8
+      frame.type: "trunc.data"
+- filter:
+    count: 1
+    match:
+      event_type: mqtt
+      mqtt.publish.qos: 0
+      mqtt.publish.retain: false
+      mqtt.publish.dup: false
+      mqtt.publish.truncated: true
+      mqtt.publish.skipped_length: 100009
\ No newline at end of file
diff --git a/tests/mqtt-frames/README.md b/tests/mqtt-frames/README.md
new file mode 100644
index 000000000..4ebd816ed
--- /dev/null
+++ b/tests/mqtt-frames/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data].
+
+PCAP
+====
+PCAP comes from the suricata verify test[mqtt5-pub-userpass]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames/input.pcap b/tests/mqtt-frames/input.pcap
new file mode 100644
index 000000000..9b4ec516b
Binary files /dev/null and b/tests/mqtt-frames/input.pcap differ
diff --git a/tests/mqtt-frames/test.rules b/tests/mqtt-frames/test.rules
new file mode 100644
index 000000000..f3b053b3d
--- /dev/null
+++ b/tests/mqtt-frames/test.rules
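Review bot: The checks for sids 7 and 8 on `trunc.data` frames assert only `frame.type`, while every other positive check also pins `frame.complete` (and sid 4 pins `frame.length`), so a regression in how truncated data frames are sized or flagged would pass unnoticed; if the intended values are known, add `frame.complete` and `frame.length` to those two filters, since the completeness of the truncated frame is precisely what this test exists to cover. The last filter's `mqtt.publish.skipped_length: 100009` is presumably tied to the `max-msg-length: 50000` in suricata.yaml, but the relationship is not stated; a comment `# follows from max-msg-length in suricata.yaml; update both together` would prevent the two files drifting apart. The `pcap: ../mqtt-limit-1/input.pcap` line makes this test depend on a sibling test's capture; a comment `# shared with mqtt-limit-1; the counts above assume that capture is unchanged` is worth adding next to it.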
@@ -0,0 +1,11 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 2f 00|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|61 73 73|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; flow:to_server; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|20|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|00 00 03 22|"; startswith; sid:7;)
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 06|"; sid:8;)
\ No newline at end of file
diff --git a/tests/mqtt-frames/test.yaml b/tests/mqtt-frames/test.yaml
new file mode 100644
index 000000000..2ea13450a
--- /dev/null
+++ b/tests/mqtt-frames/test.yaml
@@ -0,0 +1,52 @@
+requires:
+  min-version: 7
+
+args:
+  - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 1
+      frame.type: "pdu"
+      frame.length: 49
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 2
+      frame.type: "pdu"
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 3
+      frame.type: "header"
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 4
+      frame.type: "header"
+      frame.length: 2
+      frame.complete: true
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 5
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 7
+      frame.type: "data"
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 8
+      frame.type: "data"
+      frame.complete: true
\ No newline at end of file
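Review bot: Rule 3 carries `flow:to_server` while its counterpart rule 4 (`content:"|20|"`) and every other rule in the file are direction-less, so the two header rules are not testing the same thing; either both should state a direction or neither, and if the asymmetry is deliberate it needs a comment such as `# sid 3 is restricted to the client side to avoid matching the server's reply`. The anchoring, hex-case and negative-control points raised on tests/mqtt-frames-truncated/test.rules apply here unchanged.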
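Review bot: This test checks in its own binary `input.pcap` (the README says it comes from the mqtt5-pub-userpass test), whereas the sibling mqtt-frames-truncated test reuses the original capture through `pcap: ../mqtt-limit-1/input.pcap`; the two new tests should handle shared captures the same way, and if the sibling's capture still lives at `../mqtt5-pub-userpass/input.pcap` a `pcap:` line pointing at it would avoid a duplicated binary. The checks for sids 2, 3, 7 and 8 pin `frame.complete` but not `frame.length`, while sids 1 and 4 pin the length; adding `frame.length` to the data-frame checks (sids 7 and 8) would catch an off-by-one in the data frame boundary, which is the behaviour this test is meant to cover.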